VISA has claimed for some time to be doing everything in their power to secure online payments and accounts from hackers. But now a paper is claiming that a major security flaw may not exist from any fancy magnetic device, or backdoor phishing expeditions. It could be as simple as a quick guess from would-be thieves.

The paper, titled Does The Online Card Payment Landscape Unwittingly Facilitate Fraud? , was released by Newcastle University. In it, the UK based researchers claim that hackers can gain access to financial data in less than ten seconds. And it doesn’t even require anything major to do it.

VISA: Just a Guess Away From Fraud

It is called the Distributed Guessing Attack. Hackers take three randomized numbers and use them to generate multiple CVV codes, the three digit code on the back on cards meant to reduce the risk of fraud.

By targeting various websites and payment platforms, and through the process of elimination, they are able to both guess financial information to make purchases, while avoiding flagging from fraud protection services. Usually, when someone attempts to use a card more than once, it starts up a countdown. A certain number of attempts is allowed before a card is flagged, and has to manually verified by the owner with the institution it came from.

Because they are not making these guesses at one site, it doesn’t flag. Instead, it gives the hackers up to twenty guesses per site without triggering any suspicions. Eventually, they are able to break through and find the financial combination that works. From there they can use the card before the cardholder becomes aware of illegal charges.

Other Cards May Be Unsafe

This particular study only used two services in their study: VISA and MasterCard. They found that MasterCard flagged faster, but it was still vulnerable. It could allow up to ten attempts per site before coming back as suspicious activity. Which doubles the amount of websites needed to spread it out, but still gives hackers a chance.

So far there is no work on if this vulnerability could happen for other brands. But it is likely, as this is a very manual, long form, but effective means of stealing data. Unfortunately, the only way to possibly protect yourself is to add secondary verification steps, such as Verified By VISA, to your account. Even then, it may be possible to be compromised.